Information Security News mailing list archives

Hacking away at Government


From: William Knowles <wk () C4I ORG>
Date: Fri, 2 Jun 2000 10:33:28 -0500

http://web.lexis-nexis.com/more/cahners-chicago/11407/5907060/2

Governing Magazine
June, 2000
FEATURE; Page 76

"Fresno Means Business" is the first thing you see when you visit the
California city's Web page, and to emphasize the point, there is a
collage of pictures showing the downtown skyline and business people
working. The message, the collage says in so many words, is
"Development and Economic Vitality." So you can imagine city
officials' displeasure one day last November when the skyline and
business people were suddenly gone, replaced with a different message:
"Hacked by globher." It wasn't the first time Fresno's site had been
hacked. Three weeks earlier, another intruder had taken down the site
and replaced it with boastful gibberish and profanity. Fortunately,
during both incidents, no major damage was done, and each time the
city's Web team had the site cleaned up in less than an hour. "We
thought we were covered, but they knew the tricks to get into the
server," says Allen Smith, Fresno's webmaster. "If we had kept up with
Microsoft's security alerts, we would have been OK."

If officials in Fresno are a bit embarrassed by these incidents, they
have plenty of company.

According to records on Web site defacements kept by attrition.org, a
hacking watchdog, more than five dozen state and local governments or
agencies were attacked in the six months between November and April.
The day after the second hit on Fresno, for example, a hacker who goes
by the name "YTCracker" attacked one of the less likely targets in the
state of New York: the Department of Agriculture and Markets. Again,
no serious harm was done, although it also must have left some in the
department blushing. Among other things, the hacker scrawled the quote
"YTCracker is cool" under a picture of Governor George Pataki. "The
whole episode really woke us up to the possibility that even we can
get hacked," says Peter Gregg, a department spokesman. "We figured,
who'd want to hack us?"

By now, most state and local governments have staked out a presence on
the Internet, but in the race to get online, network security has been
something of an afterthought. What they're starting to find--some of
them the hard way--is that anyone on the Internet, even the most
obscure government agency, is a target for computer hackers. "It's
really a matter of when, not if, you'll be attacked," says Mark
Zajicek, a computer security expert with the CERT Coordination Center
at Carnegie Mellon University. "Once you connect to the Internet, the
rest of the Internet is connected to you."

Fresno, like most places that have been hit by hackers so far, was
lucky: The site contained only such static information as press
releases, job listings and city phone numbers. This time around, the
hacker attacks amounted to little more than digital graffiti. The
damage, in fact, was probably easier to remove than spray paint from a
wall.

In the era of digital government, however, network security will only
increase in importance and complexity. Fresno, like nearly every
state, city and county, is looking into delivering services online,
from tax collection to issuing permits. It is an exciting development,
but the flip side is that each new service opens a channel into
government computer networks for hackers to exploit.

Web-enabled government not only exposes a new Achilles heel to
malicious hackers but also elevates the battle against them to a new
level. To hackers, a digital government is simply a juicier target.
There is more havoc to wreak by breaking in, and more notoriety to be
gained. To state and local governments, credibility is on the line:
The success or failure of their Web ventures will hinge on citizens'
faith in their security to use them. "Every time a state or local
government moves a new process into the cyber-domain, it raises
vulnerability," says Steven Trevino, an executive with Infrastructure
Defense Inc., a network security firm that is working with Public
Technology Inc. to assess the security needs of local governments.
"It's a risk-management proposition they've never had to deal with."

SNIFFING OUT HACKERS

The war on hackers, quite expectedly, has spawned a booming market for
security software and hardware. State and local governments are
installing firewalls to separate data on internal systems from what
goes up on the Web. Soon after being hacked, the New York agriculture
department stocked up on intrusion-detection software that can sniff
out a hacker's moves before any damage is done. The scary thing,
however, is that even vendors who sell the stuff admit that no amount
of network protection could keep out the smartest, most dedicated
hackers.

Of course, one doesn't even need to be a computer geek to be a hacker
these days. Anyone can learn the basics by visiting a number of Web
sites that essentially teach "hacking for dummies" lessons. Even a lot
of the technical work of hacking has been automated, in programs that
can be downloaded off the Internet for free.

In many ways, network security is a cat-and-mouse game. Nearly every
piece of technology running the Internet today has a bug in it
somewhere for hackers to exploit. Companies such as Microsoft are
continually issuing security warnings about holes in their software,
and offering "patches" that fix the problem. Of course, the bad guys
pay attention to these warnings too, and use them as a road map for
breaking into systems that haven't been updated. "Just buying the
latest commercial products may give you a false sense of security,"
says Zajicek. "Unless you're continually upgrading, it's just a race
between your product and the latest attack methods."

While spending money on upgrading software and hardware can certainly
help, that is the easy part, security experts say. The hard part is
cultivating a management culture that recognizes the importance of
security and the urgency of addressing security issues quickly. The
political need to get more information and new services online as fast
as possible often trumps the practical need to have a well-fortified
site. Moreover, many state and local IT departments are chronically
understaffed, already tugged in a hundred different directions.

The lesson, management-wise, from a recent security incident in the
city of Sunnyvale, California, is that it pays to be proactive. Back
in February, at the same time that popular Web sites such as Yahoo!,
eBay and CNN.com were being shut down by so-called "distributed denial
of service" attacks, Sunnyvale's IT managers noticed that something
funny was happening to their site, too. Traffic suddenly shot up
six-fold, and engineers determined that much of the increased traffic
was coming from one particular address in Virginia. They immediately
took measures to block hits from that address, and the problem went
away.

Sunnyvale Chief Information Officer Shawn Hernandez says he's still
not sure whether the incident was related to the attacks on Yahoo! and
the others. And unlike those attacks, the increased traffic on
Sunnyvale's site never peaked high enough to shut it down. That's all
the more reason to take a proactive stance. "You have to constantly
monitor your network, be familiar with the level of traffic expected,
and zero in on that when it fluctuates," Hernandez says. "When you see
abnormal situations, you need to investigate and jump on it
immediately."

HIRING WHITE HATS

In that vein, security experts say that every government on the Web
should be aware of what its security weaknesses are. Some have taken
to hiring ethical hackers, or "white hats," who break into their
systems in order to assess what holes exist. Ideally, governments
should patch those holes up, or at bare minimum, monitor them closely,
and should have a plan for dealing with hacker attacks when they do,
inevitably, happen. Unfortunately, it is often not until a security
breach occurs that a more comprehensive security plan takes shape. By
then, of course, it is too late--although not too late to keep it from
happening again.

It took just 13 minutes last March for a hacker to break into the Web
page of the Oklahoma Department of Libraries. But it took six days for
the department to get the site back up. In the wake of the incident,
Web development officer Michael O'Hasson performed an extensive
security assessment and shared lessons from the episode at a state Web
managers' meeting.

The lessons read like a self-help pamphlet for techies. "Do not think
that obscurity will save you," says one. "Never assume that prior
security patches were done before," reads another. The other points
make clear the need to have contingency plans in place, such as having
a "summer home" for a Web site, an alternate place to host the site in
case of emergency.

In the meantime, the Oklahoma Department of Libraries--like Fresno and
a lot of other state and local agencies that thought they were
safe--can take comfort in the fact that this round with the hackers
has really been something of an exhibition match. It's the next round,
with confidential taxpayer data and credit-card numbers at stake, when
the score will really count. "The break-in right now is actually good
for us," says Allen Smith, the Fresno webmaster. "We don't have that
stuff out there now, but we're planning on it. Actually, it's good
timing, because it made us more aware of what we need to look at."

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com